Multiple 1:1-NAT with multiple DHCP

Started by lucasgirod, February 08, 2021, 07:27:58 PM

Newbie question here...

I'm trying to do the following:

My ISP does not provide static IPs, but multiple IPs via DHCP.
I have two Synologys which I want to be externally accessible (Ports 80,443, DynDNS), both are on the LAN.

I tried the following:

Attach 3 Ports to the ISP-Side (WAN, SYNO1, SYNO2)
Assign Alias-IPs for SYNO1 and SYNO2
1:1-NATs from Alias-IP1 to SYNO1 and Alias-IP2 to SYNO2.
But no luck...

It works if I use the DHCP address for 1:1 NAT, but as this address can change this is obviously not an option.

Can anyone point me in the right direction?

Thanks

Lucas

First off, I would pull the NIC plug on those Synologys. That configuration is asking for someone to breach your network quickly.

Do you have multiple IP addresses from your ISP? I'm guessing not; assuming I am correct, what you are trying to do is not intended for what you're thinking. I would recommend reading on basic networking, specifically 1:1 NAT and port forward, and VPN.
https://docs.opnsense.org/manual/nat.html
https://docs.opnsense.org/manual/vpnet.html

The FW protects your assets. What you are configuring is exactly the opposite of this.

Thanks for your reply, I think I didn't explain it clearly.

The Synologys are on the LAN, not on the WAN/ISP side; of course this would be extremely unsafe.
What I want to achieve is for each Synology to get its own public address, but the public addresses are not static but DHCP. All traffic should go through the firewall with only a few ports open.

To get 3 public DHCP addresses (WAN, and 2 IPs I want to be able to use as public IP for the 1:1 NAT for each Synology) I connect 3 ports to the ISP (as I cannot get 3 different DHCP addresses with just one port).

VPN is not an option, as ports 80 and 443 need to be accessible from the WAN side.

How can I do that?

Is the only reason for this setup that you need to run multiple web servers on the same port? That would be a typical use case for a reverse proxy. HAProxy and Nginx are available as OPNsense plugins and allow you to do that with a single WAN address.
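As an added illustration of the reverse-proxy approach suggested in the reply above (this is example configuration written for this thread, not the plugin's own or anything from the original poster), here is an HAProxy configuration that serves two Synologys behind a single, DHCP-assigned WAN address. Host-header routing replaces the per-device public IP; port 80 only redirects to HTTPS, unknown hostnames are refused, and only one certificate path is needed on the firewall. The hostnames syno1.example.org / syno2.example.org, the LAN addresses 192.168.1.11 / 192.168.1.12, and the certificate path are assumptions for the example.

```haproxy
global
    log /dev/log local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 exists only to redirect; no plaintext service is exposed.
frontend fe_http
    bind :80
    http-request redirect scheme https code 301

# Single public listener on the WAN address (whatever DHCP hands out).
# The PEM path is an assumption; use the certificate OPNsense manages.
frontend fe_https
    bind :443 ssl crt /usr/local/etc/ssl/syno-public.pem
    http-request set-header X-Forwarded-Proto https

    # Route by the requested hostname (DynDNS names assumed).
    acl host_syno1 req.hdr(host) -i syno1.example.org
    acl host_syno2 req.hdr(host) -i syno2.example.org
    use_backend be_syno1 if host_syno1
    use_backend be_syno2 if host_syno2

    # Anything that does not name one of our hosts gets refused,
    # so scanners hitting the bare IP never reach a DSM login page.
    default_backend be_reject

# LAN addresses are assumptions; DSM listens for HTTPS on 5001 by default.
# "verify none" accepts DSM's self-signed certificate; pin it with
# "verify required ca-file ..." once you have exported it.
backend be_syno1
    server syno1 192.168.1.11:5001 ssl verify none

backend be_syno2
    server syno2 192.168.1.12:5001 ssl verify none

backend be_reject
    http-request deny
```

With this in place the firewall only needs an inbound rule for TCP 80 and 443 on the WAN interface; the Synologys themselves are never reachable from the internet except through the proxy, and the public address can change freely because nothing references it.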

That sounds like a plan. I'll check it out, thank you!

Quote from: lucasgirod on February 10, 2021, 07:02:57 PM
Thanks for your reply, I think I didn't explain it clearly.

The Synologys are on the LAN, not on the WAN/ISP side; of course this would be extremely unsafe.
What I want to achieve is for each Synology to get its own public address, but the public addresses are not static but DHCP. All traffic should go through the firewall with only a few ports open.

To get 3 public DHCP addresses (WAN, and 2 IPs I want to be able to use as public IP for the 1:1 NAT for each Synology) I connect 3 ports to the ISP (as I cannot get 3 different DHCP addresses with just one port).

VPN is not an option, as ports 80 and 443 need to be accessible from the WAN side.

How can I do that?

What are you running on there that needs 443 and 80 open to the internet? DynDNS is outbound traffic and would be allowed by default. If you're just trying to allow access back into the DSM interface, you should be using QuickConnect, which will set up a reverse tunnel.

If you're using XPEnology and can't do QuickConnect, then you should choose a non-standard port (not 443, not 5001) that's less likely to be exposed to roving worms, and only HTTPS, not HTTP.